Re: Linking a cookie to an IP address is a very bad in 2015...

Are you sure this is only NAT and not some proxies?
(this could be transparent proxies)

In case your public IP address changes even though your phone's RFC 1918 
address doesn't change, there can be a logical reason: it is not said 
that there is only one node for one mobile operator; it can have two or 
more nodes, and every node has the same DHCP range. Now you move from 
one node to the next node. In case the RFC 1918 address from the first 
node is available at the second node, there is no reason to give you a 
different RFC 1918 address, but you have a different public address. The 
other case, that your RFC 1918 address from the first node is already 
taken at the second node, would not make any difference; you get a 
different RFC 1918 address, too.

When talking about Thalys, there you could probably have a seat with a 
power plug for a portable computer (please don't talk about phones), 
and maybe the train offers a public WLAN, too.

Now compare someone using this with a portable computer 
(notebook/laptop) and you with your phone, and then think of your 
session and maybe a VPN tunnel between this portable computer and 
his/her home/company: your session cannot last any longer than the VPN 
tunnel stays available without having to be re-initiated because of 
"breakdowns".

These "breakdowns" are: a change of RFC 1918 address and a change of 
public address.
(It would be strange if these were not.)

On 04.04.2015 23:46, Eric Vyncke (evyncke) wrote:
> On the Thalys, we usually change of country (hence also of mobile 
> operator) every 45 minutes :-)
>
> Else, mobile operators are heavily relying on NAT and some NAT are not 
> RFC 6888 compatible (i.e. They keep changing your public IP address 
> even if your phone RFC 1918 address stays the same).
>
> In short, NEVER link a session cookie/state to an IP address ;-)
>

Received on Sunday, 5 April 2015 08:06:55 UTC
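The failure mode the thread is about, as an added example that is not part of the original post or of any project it mentions: a server that pins the session cookie to the client's public address, replayed against a constructed request log for one phone whose RFC 1918 address never changes but whose public address changes at every operator hand-over and again inside one operator's NAT pool. The request log, the addresses (RFC 5737 documentation ranges) and the `SessionStore` class are all assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed request log for one traveller with one phone and one session
# cookie. The public addresses come from the RFC 5737 documentation ranges and
# stand in for the operators' NAT pools; the phone's own RFC 1918 address
# (say 10.64.0.17) never changes and is therefore not even recorded here.
REQUESTS: List[Tuple[int, str]] = [
    # (minutes since login, public source address seen by the web server)
    (0, "192.0.2.10"),      # login on the first operator
    (20, "192.0.2.10"),
    (50, "198.51.100.7"),   # border crossing: new operator, new NAT pool
    (70, "198.51.100.9"),   # same operator, NAT hands out another public address
    (95, "203.0.113.42"),   # next border crossing
]


@dataclass
class Session:
    token: str
    bound_ip: Optional[str]  # None when the server does not pin sessions to an IP


class SessionStore:
    """Server-side session table that optionally binds each session to the
    public address it was created from (the practice the thread warns against)."""

    def __init__(self, pin_to_ip: bool) -> None:
        self.pin_to_ip = pin_to_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, client_ip if self.pin_to_ip else None)
        return token

    def validate(self, token: str, client_ip: str) -> bool:
        session = self._sessions.get(token)
        if session is None:
            return False
        if session.bound_ip is not None and session.bound_ip != client_ip:
            # The cookie is genuine, but the public address has moved. A pinned
            # server cannot tell this roaming user from a cookie thief, so it
            # has to drop the session and force a fresh login.
            del self._sessions[token]
            return False
        return True


def replay(requests: List[Tuple[int, str]], pin_to_ip: bool) -> Tuple[int, List[str]]:
    """Drive the request log through a store.

    Returns (number of forced re-logins, one outcome line per request)."""
    store = SessionStore(pin_to_ip)
    token: Optional[str] = None
    outcomes: List[str] = []
    relogins = 0
    for minutes, ip in requests:
        if token is not None and store.validate(token, ip):
            outcomes.append(f"t+{minutes:3d} {ip:15} session accepted")
            continue
        if token is None:
            outcomes.append(f"t+{minutes:3d} {ip:15} initial login")
        else:
            relogins += 1
            outcomes.append(f"t+{minutes:3d} {ip:15} session rejected, re-login forced")
        token = store.login(ip)
    return relogins, outcomes


if __name__ == "__main__":
    for pinned in (True, False):
        relogins, outcomes = replay(REQUESTS, pin_to_ip=pinned)
        print(f"\nsession pinned to IP: {pinned} -> {relogins} forced re-login(s)")
        print("\n".join(outcomes))
```

With pinning on, every public-address change in the log is indistinguishable from a stolen cookie and costs the legitimate user a login (three in this log, one of them without any change of operator); with pinning off, the same cookie is accepted throughout. Nothing in the client's RFC 1918 address would have helped the server, since it never sees that address at all.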